@rabryst Store a nonce that invalidates after an amount of time in the session and the database. Re-issue it before it runs out. If hackers find out a nonce, good luck: you've got x minutes and no user IDs to cycle through.
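The scheme in the comment above, as an added example that is not the commenter's own code: the session holds only a random nonce, a database table maps that nonce to a user and an expiry, and the nonce is rotated when its remaining lifetime drops below a threshold. The 10-minute lifetime, the 2-minute renewal window, the in-memory SQLite table and the plain dict standing in for the session store are all assumptions made for this example.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

NONCE_TTL = timedelta(minutes=10)     # assumed lifetime of one nonce ("x minutes")
RENEW_BEFORE = timedelta(minutes=2)   # assumed: re-issue when less than this remains


def open_db():
    """In-memory SQLite table standing in for the real database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE session_nonce ("
        " nonce TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at TEXT NOT NULL)"
    )
    return db


def issue_nonce(db, session, user_id, now):
    """Create a fresh nonce for user_id, store it in the DB and the session.

    Any previous nonce for the user is dropped, so a leaked old value stops
    working the moment a new one is issued.
    """
    nonce = secrets.token_urlsafe(32)            # 256 bits of CSPRNG output
    expires = now + NONCE_TTL
    db.execute("DELETE FROM session_nonce WHERE user_id = ?", (user_id,))
    db.execute(
        "INSERT INTO session_nonce (nonce, user_id, expires_at) VALUES (?, ?, ?)",
        (nonce, user_id, expires.isoformat()),
    )
    db.commit()
    session["nonce"] = nonce                     # session carries no user id, only the nonce
    return nonce


def lookup(db, nonce, now):
    """Return (user_id, expires) for a live nonce, or None; purge it if expired."""
    row = db.execute(
        "SELECT user_id, expires_at FROM session_nonce WHERE nonce = ?", (nonce,)
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    expires = datetime.fromisoformat(expires_at)
    if now >= expires:
        db.execute("DELETE FROM session_nonce WHERE nonce = ?", (nonce,))
        db.commit()
        return None
    return user_id, expires


def authenticate(db, session, now):
    """Resolve the session's nonce to a user id, rotating it when close to expiry.

    Returns the user id, or None when the session has no nonce or the nonce is
    unknown or expired (in which case the stale value is removed from the session).
    """
    presented = session.get("nonce")
    if not presented:
        return None
    found = lookup(db, presented, now)
    if found is None:
        session.pop("nonce", None)
        return None
    user_id, expires = found
    if expires - now <= RENEW_BEFORE:
        issue_nonce(db, session, user_id, now)   # re-issue before it runs out
    return user_id


if __name__ == "__main__":
    db, session = open_db(), {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = issue_nonce(db, session, 42, t0)
    print("user:", authenticate(db, session, t0 + timedelta(minutes=9)))
    print("rotated:", session["nonce"] != first)
    print("old nonce still valid:", lookup(db, first, t0 + timedelta(minutes=9)) is not None)
```

Because the DB is keyed by the nonce and the session never stores a user id, an attacker who learns a nonce gets at most the remaining lifetime of that one value, and nothing to enumerate; rotation on the user's next request shortens even that window.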
@rabryst By default they are stored in the filesystem (used to be /tmp); that's why people put them in the DB. Anyway, if you are requesting the user info from the DB anyway, why store them in the session?